Decrypt Amnesia ransomware with Emsisoft’s free decrypter

Decrypt Amnesia ransomware with Emsisoft’s free decrypter

decrypter_amnesia_ransomware_banner

Today, Emsisoft CTO and Malware researcher Fabian Wosar released a free decrypter for a new Delphi-based ransomware called “Amnesia”, which began to appear on 26th April 2017.

How the Amnesia ransomware works

The main infection vector of Amnesia appears to be via RDP (remote desktop services) brute force attacks, which allow the malware author to log into the victim’s server and execute the ransomware.

Once the criminals have access, the malware will delete the system’s recovery points so shadow copies cannot be used to recover the files once encrypted. It will also copy itself into the %APPDATA% directory using the file name “guide.exe” and register itself within the “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce” key to start automatically during the next boot.

Since Amnesia ransomware does not contain an extension list, it will encrypt all file types on the machine. It does, however, exclude C:\WindowsC:\Program Files and various other folders from the encryption operation, so that boot operation and other critical processes are not impacted.

Amnesia encrypts up to the first 1 MB of files using AES-256 encryption in ECB mode. Once the files are locked this way, the malware will append the “.amnesia” extension to them.

How Amnesia ransomware victims are supposed to pay

Amnesia victims are asked to contact the malware author via email to “[email protected]”.

How to remove Amnesia ransomware encryption using the Emsisoft decrypter

As explained in our thorough ransomware removal guide, it’s critical to follow the right steps when dealing with and removing ransomware. We suggest to read it before attempting any hasty removal attempts.

For infected users that have verified the ransomware type and are just looking for the decrypter, you can download it for free on Emsisoft’s decrypter site.

Have a great (ransomware-free) day!